Oracle provides Advanced Security in their enterprise database software package. Well, it's in all the stuff they release you just have to be sure you pay the tithe or Larry Ellison will come eat your first born child.
This even extends to their JDBC driver, which just got support for using AES with Oracle 12c.
For reasons only Satan and Ellison himself will understand, to use AES, you HAVE to configure the Oracle client to do checksum validation.
The WTFs are:
Why isn't this documented?
Not configuring checksum validation generates an error in the alert log per connection. Only DBAs would look at this log. If they even know it exists.
This EXACT SAME ERROR is documented by Oracle for 11g and 11gr2 services. The fix? Use 3DES168, what could go wrong?
The connection isn't refused (which is the expected behavior if SQLNET settings don't line up).
Luckily(?) the application I work on is a service and only polls Oracle every 5 seconds. Not like we'll run out of disk space in a few months if this went unnoticed...